Diagram showing SnakeDisk USB worm infection process targeting Thailand IPs

China-linked threat actor Mustang Panda has deployed a new USB worm called SnakeDisk, alongside updated TONESHELL backdoor variants, to target devices with Thailand-based IP addresses. SnakeDisk spreads via USB drives by hiding files and tricking users into executing a malicious payload named "USB.exe." Once active, it installs the Yokai backdoor, enabling remote command execution.

Diagram showing SnakeDisk USB worm infection process targeting Thailand IPsDiagram showing SnakeDisk USB worm infection process targeting Thailand IPs

IBM X-Force, tracking Mustang Panda as Hive0154, notes that the group has been active since 2012 and uses sophisticated techniques like DLL side-loading and proxy-based C2 communication to evade detection. The new TONESHELL8 and TONESHELL9 variants support parallel reverse shells and include junk code from ChatGPT to resist analysis.

Diagram showing SnakeDisk USB worm infection process targeting Thailand IPsDiagram showing SnakeDisk USB worm infection process targeting Thailand IPs

Yokai shares similarities with other Hive0154 malware families like PUBLOAD and TONESHELL, indicating a shared development ecosystem. The focus on Thailand suggests a specialized subgroup within Mustang Panda. IBM warns that Hive0154 remains a highly capable and evolving threat actor with multiple active malware clusters.

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security